Due to their prevalence in today's society, the internet and other types of networks have become a hub for criminal activity. Cyber-criminals or other threat actors often attempt to install or otherwise deploy harmful applications on unprotected systems or devices. Once a threat actor obtains access to a targeted system or device, they may perform further actions such as stealing data, escalating their privileges, or the like.
Certain activity on a network may indicate that a threat actor is, for example, profiling the network, profiling devices on the network, transferring data to or from network devices, installing harmful applications on network devices, or the like. For example, an unusually high volume of network traffic may indicate an attack. Alternatively, some network devices may exhibit behavior that, although not necessarily indicative of a threat, nonetheless warrants further investigation.
Existing techniques for gathering data regarding network device behavior or activity may involve actively scanning network devices. However, these techniques generate new network traffic on top of the traffic already present. Such active scanning tools may also undesirably affect the operation of network devices and increase congestion on networks.
A need exists, therefore, for systems and methods for detecting anomalous network device activity that overcome the disadvantages of existing techniques.